I've come up against an issue in one of my deployments, which I've traced back to this, and I provide a fix for it below, if someone would be so kind as to submit it for me :)
At present, ssl.c loads the user's provided SSL certificate set in HS_SSLCERTFILE using SSL_CTX_use_certificate_file:
```c
int
openssl_use_certificate(openssl_env *env, char *file) {
  if (file)
    /* Loads only the first certificate found in the PEM file */
    if (SSL_CTX_use_certificate_file(env->ctx, file, SSL_FILETYPE_PEM) > 0)
      return 1;
  syslog(LOG_ERR, "%s: could not load certificate file %s\n", strerror(errno), file);
  return 0;
}
```
This works fine as is; however, it breaks chained certificate files (including intermediate trusts).
As per https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html, using SSL_CTX_use_certificate_file isn't recommended for this reason (see the NOTES section). There may be a good reason for using _file, in which case please disregard this and I'll just go ahead with my deployment, but I have attached below a modified version of ssl.c using SSL_CTX_use_certificate_chain_file instead, which I have tested working with chained and unchained certificates.
Kind Regards,
Daniel Sullivan
Reticulum IT
ssl.txt
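A quick check for the failure mode reported above, added here as an example (it is not code from the issue, the attachment, or the project): because `SSL_CTX_use_certificate_file` loads only the first certificate in a PEM file, counting the CERTIFICATE blocks in the file named by HS_SSLCERTFILE shows how many intermediates would be left out. The function names are hypothetical and the sample data is constructed.

```c
#include <stdio.h>
#include <string.h>
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Count complete CERTIFICATE blocks in a NUL-terminated PEM buffer; other
 * block types (such as a private key in the same file) are skipped.
 * Returns -1 if a BEGIN marker has no matching END (truncated file). */
int count_pem_certs(const char *pem) {
  int n = 0;
  while ((pem = strstr(pem, PEM_BEGIN)) != NULL) {
    const char *end = strstr(pem + strlen(PEM_BEGIN), PEM_END);
    if (!end) return -1;
    n++;
    pem = end + strlen(PEM_END);
  }
  return n;
}

/* Certificates after the leaf (the intermediates) that a first-only load skips. */
int certs_left_unloaded(const char *pem) {
  int n = count_pem_certs(pem);
  return n > 1 ? n - 1 : 0;
}

/* Same count for a file on disk; -2 if unreadable or larger than the buffer. */
int count_pem_certs_in_file(const char *path) {
  static char buf[65536];
  FILE *f = fopen(path, "r");
  if (!f) return -2;
  size_t len = fread(buf, 1, sizeof(buf) - 1, f);
  int complete = feof(f);   /* EOF reached means the whole file fit */
  fclose(f);
  if (!complete) return -2;
  buf[len] = '\0';
  return count_pem_certs(buf);
}

/* Constructed samples: placeholder bodies, not real certificates. */
static const char sample_chain[] = PEM_BEGIN "\nTEVBRg==\n" PEM_END "\n"
                                   PEM_BEGIN "\nSU5URVJNRURJQVRF\n" PEM_END "\n";
static const char sample_truncated[] = PEM_BEGIN "\nTEVBRg==\n";

int main(int argc, char **argv) {
  printf("sample chain: %d certs, %d left unloaded; truncated sample: %d\n",
         count_pem_certs(sample_chain), certs_left_unloaded(sample_chain),
         count_pem_certs(sample_truncated));
  if (argc > 1) printf("%s: %d certs\n", argv[1], count_pem_certs_in_file(argv[1]));
  return 0;
}
```

A count above 1 means the file is a chain and needs a loader that reads the whole chain, such as the `SSL_CTX_use_certificate_chain_file` call proposed in the issue.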